Hacking public-information kiosks

A researcher at ShmooCon demonstrates how browser hot keys can expose the internal network running behind a Citrix presentation server.

Robert Vamosi Former Editor

As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

See full bio

Robert Vamosi

Feb. 19, 2008 7:58 a.m. PT

2 min read

Public-information kiosks are supposed to allow users to find out more about a company or government agency, and that's all. But on Saturday afternoon, Shanit Gupta, a senior consultant at McAfee Foundstone, demonstrated several ways that he and others have been able to map the internal network on a system running XenApp, formerly Citrix Presentation Server.

On the demonstration screen at ShmooCon, an East Coast computer hacking conference, Gupta showed how the familiar toolbars and browser frame are missing on a system running XenApp. The idea is that on a kiosk the public can click on links only within the single page. But if there's a keyboard or a mouse present, which there often are, Gupta was able to open additional sites, exposing the internal network.

Starting with Ctrl-H, he was able to pull up the browser's history. If the history revealed no outside search engines like Google, one could also type Ctrl-O and then type in Google there. If all else fails, one could also hit Ctrl-N and open a new tab, which will show the usual address bar and toolbar for navigation.

Opening a Web site not on the public tour could allow an attacker to download and install NMAP and run a port scan of the internal network. If the browser supports Javascript, one could also run a Javascript port scanner.

Typing Ctrl-P calls up the printer; however, Gupta pointed out that you can also save to file there and, while doing so, see the internal network.

No keyboard, no problem. Gupta says simply right click on any image and chose Save As ...

Gupta's demo concluded prematurely, hampered by an overall loss of Internet connection at the conference.

Citrix says on its site that when running XenApp, "built-in endpoint scans and policy controls take into account each user's role, device characteristics and network conditions to determine which applications and data they are authorized to access." However, Gupta said that the flaws were first called to his attention at a government agency. Using the standard Internet Explorer keyboard hot keys, Gupta and partner were able to see inside the agency's network.